Is the Cloudbleed Bug Putting Vendor-Held Data at Risk?

A security flaw is once again forcing us to change our passwords and contact vendors.

Nearly 3,400 websites, including Uber, Bain Capital, Security Scorecard, Bitsight, and Fitbit,[i] may have been affected by “cloudbleed,” a vulnerability at sites using the Cloudflare security service. User data from these sites, possibly including logins and passwords for the affected websites, was inadvertently exposed to the public.

Cloudflare has explained that the cloudbleed problem began with a security issue in its edge servers, which caused some HTTP requests run through its service to return corrupted web pages.

While Cloudflare has fixed the code causing the problem and reports that it has not yet found any evidence of malicious exploitation, we’re not out of the woods yet. Search engines have already cached many of the affected pages, including some containing sensitive data. Those crawlers have likely already collected the data and may not yet realize the significance of the information stored on their servers.

What should you do to address the cloudbleed security risk? Poll your vendors to determine if they were affected.